Supply chain risk scanner

Paste your dependencies.
See what's hiding.

Four packages in a typical project are CRITICAL right now: chalk (418M downloads/week, 1 maintainer), zod (158M, 1 maintainer), axios (99M, 1 maintainer), hono (34M, 1 maintainer). Stars and READMEs don't show this. Behavioral signals do.

Drop package.json, package-lock.json, yarn.lock, pnpm-lock.yaml, or requirements.txt. Lock files scan ALL transitive dependencies, not just the top 20.

No install. No API key. Lock files scan all transitive deps (top 20 shown). Source code →

Transitive risk

The risks you don't see coming

Your package may look fine. Its dependencies may not. The Anthropic SDK scores healthy — but two of its transitive dependencies are CRITICAL. Neither shows up in a direct audit.

npm only · max depth 2 · up to 20 nodes

What the score measures

Longevity: How long has this package existed? Abandoned projects get reactivated for attacks.
Maintainer depth: Single maintainer + millions of weekly downloads = the attack surface LiteLLM exploited.
Release consistency: Regular releases signal active oversight. Long gaps = vulnerability accumulation.
Download trend: Growing packages attract more scrutiny (and attacks). Stable = lower profile.

Risk flags: CRITICAL = single maintainer + >10M weekly downloads (the ua-parser-js/event-stream attack profile). HIGH = package <1yr old + rapid adoption. WARN = no release in 12+ months.
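The flag rules above, applied over a depth-limited walk of a dependency graph like the one in the "Transitive risk" section, as an added example (not the scanner's own code). The registry snapshot is constructed; the "rapid adoption" threshold (4-week download ratio above 2) and the 365-day cutoff for "12+ months" are assumptions the page does not quantify.

```javascript
// Added example, not the scanner's code. All package metadata below is constructed.
const DAY_MS = 24 * 60 * 60 * 1000;
const NOW = Date.UTC(2025, 0, 1); // fixed clock so results are reproducible

// Constructed registry snapshot: name -> metadata and direct dependencies.
const REGISTRY = {
  'sdk-root':  { maintainers: 4, weeklyDownloads: 2e6, createdAt: Date.UTC(2022, 0, 1), lastRelease: Date.UTC(2024, 11, 1), growth4w: 1.1, deps: ['lib-a', 'lib-b'] },
  'lib-a':     { maintainers: 3, weeklyDownloads: 8e6, createdAt: Date.UTC(2018, 5, 1), lastRelease: Date.UTC(2024, 10, 1), growth4w: 1.0, deps: ['tiny-util'] },
  'lib-b':     { maintainers: 2, weeklyDownloads: 1e5, createdAt: Date.UTC(2024, 6, 1), lastRelease: Date.UTC(2024, 9, 1),  growth4w: 3.2, deps: ['stale-lib'] },
  'tiny-util': { maintainers: 1, weeklyDownloads: 4e7, createdAt: Date.UTC(2015, 1, 1), lastRelease: Date.UTC(2024, 8, 1),  growth4w: 1.0, deps: ['deep-dep'] },
  'stale-lib': { maintainers: 5, weeklyDownloads: 5e5, createdAt: Date.UTC(2016, 1, 1), lastRelease: Date.UTC(2023, 0, 1),  growth4w: 0.9, deps: [] },
  'deep-dep':  { maintainers: 1, weeklyDownloads: 9e7, createdAt: Date.UTC(2014, 1, 1), lastRelease: Date.UTC(2024, 0, 1),  growth4w: 1.0, deps: [] },
};

// The page's flag rules, highest severity first. "Rapid adoption" (growth4w > 2)
// and "12+ months" (365 days) are assumed thresholds; the page does not quantify them.
function riskFlag(meta, now = NOW) {
  const ageDays = (now - meta.createdAt) / DAY_MS;
  const sinceReleaseDays = (now - meta.lastRelease) / DAY_MS;
  if (meta.maintainers === 1 && meta.weeklyDownloads > 1e7) return 'CRITICAL';
  if (ageDays < 365 && meta.growth4w > 2) return 'HIGH';
  if (sinceReleaseDays >= 365) return 'WARN';
  return 'OK';
}

// Breadth-first walk mirroring the page's limits: at most 2 edges below the root
// and at most 20 nodes. Returns a Map of name -> { depth, flag } in visit order.
function scanTransitive(root, registry = REGISTRY, maxDepth = 2, maxNodes = 20) {
  const seen = new Map();
  const queue = [[root, 0]];
  while (queue.length && seen.size < maxNodes) {
    const [name, depth] = queue.shift();
    if (seen.has(name) || !registry[name]) continue; // skip cycles and unknown packages
    seen.set(name, { depth, flag: riskFlag(registry[name]) });
    if (depth < maxDepth) {
      for (const dep of registry[name].deps) queue.push([dep, depth + 1]);
    }
  }
  return seen;
}

// Findings a direct (depth-1) audit would miss: flagged packages at depth 2 or deeper.
function hiddenFindings(root) {
  return [...scanTransitive(root)]
    .filter(([, v]) => v.depth >= 2 && v.flag !== 'OK')
    .map(([name, v]) => `${name}@depth${v.depth}: ${v.flag}`);
}
```

Note that 'deep-dep' is CRITICAL but sits three edges below the root, so the depth-2 walk never reaches it; a full lock-file scan is what closes that gap.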

Want automated monitoring?